Wordpress 2.1.1 backdoored

Posted: Mon Mar 05, 2007 3:10 am
by Mordred
The news
The details

While the intrusion was apparently successful (meaning it went unnoticed), the backdooring attempt was quite naive (eval and passthru, for smurf's sake, way to go, Captain Obvious). Luckily this was caught on time, I wonder what would have happened if the backdoor was a more covert one (and one has just to look at that obfuscated PHP thread to find plenty of better possibilities).

This is what happened some years ago with the Linux kernel: http://kerneltrap.org/node/1584, it was caught in the dev CVS, way before it could do any damage.

In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/

Posted: Mon Mar 05, 2007 8:42 am
by Jenk
"The month of PHP Bugs" ? Did I miss something?

Re: Wordpress 2.1.1 backdoored

Posted: Mon Mar 05, 2007 8:55 am
by infolock
Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/

Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs. :roll:

As for the exploit, it doesn't surprise me much. That's why I really don't use 3rd party apps. They are usually poorly written and don't involve much security checks or data validations.

As for obfuscation, that isn't exactly the show stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.

Re: Wordpress 2.1.1 backdoored

Posted: Mon Mar 05, 2007 9:06 am
by Chris Corbyn
infolock wrote:
Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/

Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs. :roll:
If you read it, it is related to PHP, not 3rd-party apps :?

Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.

Posted: Mon Mar 05, 2007 9:07 am
by Mordred
infolock wrote:Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
PHP Bugs = bugs in the PHP core, which means they are exploitable in many applications, not just one.
infolock wrote:As for obfuscation, that isn't exactly the show stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.
I was actually talking "from the other side", obfuscation as a means to stop the DISCOVERY of backdoors, not as a protection mechanism in application coding.
Jenk wrote:"The month of PHP Bugs" ? Did I miss something?
Yep, 5 days and 11 bugs ;)

Posted: Mon Mar 05, 2007 10:02 am
by Jenk
No, I mean the phrase "Month of PHP Bugs" .. it sounds like an annual occurrence or something.

Posted: Mon Mar 05, 2007 10:29 am
by Maugrim_The_Reaper
It's based on a few other "Month of Bugs" events - the idea is to post one bug per day for a month (or more if you have them). So far Stefan Esser with some contributions (folk who had bugs which were bogused, unreported or something else) have racked up a 2:1 ratio. 11 bugs over 5 days. Expect a PHP version update by early April since I assume the patches are flying into CVS, and if not damn well should be...

Thankfully the Wordpress issue was not PHP related - someone managed to gain access to one of the servers and got write access to the download. An interesting read though - I wonder how long that cracker had user access?

Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.
It's all so cool. I know Stefan can be blunt, hostile and even plain rude but he's usually 99% right when it comes to the facts surrounding PHP and security. That he left the security team for PHP a while back I'd consider a severe blow to PHP security. I guess once you get ignored and sidelined enough times anyone would do the same. I mean the guy has spent years working on Hardened-PHP and Suhosin, and gets ignored by the PHP developers? Kind of hard to explain reasonably, his bug reports so far are detailed, easy to grasp and come with a few quick use cases.

Posted: Mon Mar 05, 2007 10:56 am
by RobertGonzalez
Stefan seems like his heart is in the right place. And I would agree that the PHP team has really not given his findings the attention they should have. But I begin to wonder if there is not a better outlet for his way of speaking out to the community? I am not sure what that way is, but I am thinking that there has to be a better way to bring attention to the potential security implications of the web's most popular development language without making the core team look so freaking lazy.

Posted: Mon Mar 05, 2007 11:22 am
by Maugrim_The_Reaper
I don't think there is. Some of those bugs have been sitting around for a long time. There were internal decisions not to fix them, since they were never perceived as bugs, except by people like Stefan. The only response to such stubborn resistance is to take things off the internals and bug tracker and let them go wild. It's not even unfair - the PHP developers were told about them but chose not to fix them. I find it all totally weird - stuff that can crash and allow remote exploits sitting around unpatched? Honestly, it's either because of ignorance, carelessness or some inner-circle social struggle - and none of those three are attractive qualities in a professional development team.

It does stink a bit more when you consider there's a non-official patch to make PHP more secure. Shouldn't PHP be capable of standing on its own without a crutch?

Re: Wordpress 2.1.1 backdoored

Posted: Mon Mar 05, 2007 11:42 am
by infolock
d11wtq wrote:
infolock wrote:
Mordred wrote:In other news, the Month of PHP Bugs has started, take your blood pressure pills before reading: http://www.php-security.org/

Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs. :roll:
If you read it, it is related to PHP, not 3rd-party apps :?

Basically, the PHP developers have sat on their hands despite numerous notices and supplied patches (hardened PHP) and now it's all being made public in frustration.

Au contraire ;) I read it. The issue is that the guy who cracked wordpress.org's server rewrote their script. Since it was because the guy rewrote it in a way such that he was parsing url $_GET data and executing it, that doesn't constitute a php vulnerability, it makes it a network admin security issue.

Again, this is not a php core issue, Mordred. It's a 3rd party issue since it was the server that got hacked. The guy didn't gain access via a php core issue, but via the network.



edit: Heh, guess I just reiterated what Maugrim_The_Reaper said.

Posted: Mon Mar 05, 2007 11:48 am
by infolock
Mordred wrote:
infolock wrote:Not sure this is related to PHP Bugs, but more or less to 3rd party applications and developer bugs.
PHP Bugs = bugs in the PHP core, which means they are exploitable in many applications, not just one.
infolock wrote:As for obfuscation, that isn't exactly the show stopping way to stop exploits from happening. It's merely a way to disguise code, not protect it. It can be used, but it has its obvious pros and cons.
I was actually talking "from the other side", obfuscation as a means to stop the DISCOVERY of backdoors, not as a protection mechanism in application coding.
Jenk wrote:"The month of PHP Bugs" ? Did I miss something?
Yep, 5 days and 11 bugs ;)


1) It's not a php core issue. Re-read the article.

2) Ahhh, gotcha ;)

3) Again, I'm not sure this is php core-related but 3rd party app-related.

Posted: Mon Mar 05, 2007 4:00 pm
by Mordred
About 1) and 3)
Mordred wrote:In other news, the Month of PHP Bugs has started ...
I just chose not to "spam" the board with two topics, so I merged them.
Maugrim_The_Reaper wrote:It does stink a bit more when you consider there's a non-official patch to make PHP more secure. Shouldn't PHP be capable of standing on its own without a crutch?
That's the problem in a nutshell, and I think Stefan Esser is completely right and justified (even if a bit bitter) about what he's doing.
Everah wrote:But I begin to wonder if there is not a better outlet for his way of speaking out to the community?
I believe that this is the only (left) choice - after all he did disclose them, when the response was not adequate he did offer the community a solution. There is a good essay by Bruce Schneier on full disclosure and responsible disclosure. The thing is, responsible disclosure only works because of the threat of full disclosure, and since in that case the responsibly disclosed reports were ignored, the only option left is for the threat of full disclosure to be applied in practice. So sad to see this happen with an open source project, and a useful one at that :(

Debating Full Disclosure, Bruce Schneier

Posted: Tue Mar 06, 2007 2:53 am
by Maugrim_The_Reaper
It's interesting to note some of these bugs are all pre-5.2.1 - someone decided to get off their ass and fix them before the MOB arrived. So in that respect the threat of an MOB had a real effect - it forced the PHP Developers to fix some of the bugs before they were widely publicised. If something has such an effect, it's difficult to find a good reason to argue against it.

Posted: Tue Mar 06, 2007 10:42 am
by RobertGonzalez
Maugrim_The_Reaper wrote:If something has such an effect, it's difficult to find a good reason to argue against it.
I agree with that. It just gives the appearance of a rift in the PHP development community, which for a long time has seemed to be a very tightly knit group of friendly geeks working together for the betterment of the project and the community.

Don't get me wrong. I think the vulnerabilities need to be taken seriously (which they weren't) and they need to be addressed (which they are now). I was just tossing that opinion of mine out there. I would never argue, though, that Stefan is wrong or misguided. He did what was necessary to get the core team to open their eyes to a need to fix what is broken. That will always get kudos from me.